[Mediawiki-l] A restricted wiki with ActiveDirectory - advice on ideal setup?

Lane, Ryan Ryan.Lane at ocean.navo.navy.mil
Fri Aug 31 15:09:54 UTC 2007


> If we use ActiveDirectory for access control, this provides login
> security, but we can't revoke access instantly (since the user can
> select "Remember my login on this computer" ...or is there a way to
> destroy another user's session?). We also cannot control read-only vs.
> read-write access at this level, I think.
> 
> This is solved if we also use MediaWiki user rights for access control;
> but then to add a new user, you need to add them to the NT security
> group AND bestow the appropriate MediaWiki user rights. It would be
> cleaner to maintain permissions in just one place.  (This is my favorite
> approach at the moment, however.)
> 

The LDAP Authentication plugin supports group restriction, and group
synchronization. You can limit logins to a few specific groups (through
group restriction), and allow read-only for some, and read-write for
others (through group synchronization).

Notice that you only need to set the groups up with the proper
permissions in MediaWiki. When a user is added into the appropriate LDAP
group, the wiki will grant permissions appropriately on successful
login.

As for the "Remember my login..." feature, I'd look at a way to disable
it if you are worried about sessions holding the group information
(which *WILL* happen). You may be able to get away with limiting the
amount of time that cookie is valid for.

V/r,

Ryan Lane
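
A LocalSettings.php fragment illustrating the setup described in this message (group restriction, group synchronization, and a shorter login cookie), added here as an example and not taken from the message or the extension's own documentation. The domain label, server name, DNs and group names are placeholders, and it assumes that `$wgCookieExpiration` governs the "Remember my login" cookie in the installed MediaWiki version.

```php
<?php
// LocalSettings.php fragment. Constructed example: EXAMPLE, dc1.example.internal,
// the DNs and the wiki-readers / wiki-editors groups are placeholders.
require_once "$IP/extensions/LdapAuthentication/LdapAuthentication.php";
$wgAuth = new LdapAuthenticationPlugin();

$wgLDAPDomainNames    = array( 'EXAMPLE' );
$wgLDAPServerNames    = array( 'EXAMPLE' => 'dc1.example.internal' );
$wgLDAPEncryptionType = array( 'EXAMPLE' => 'ssl' );   // do not bind in clear text
$wgLDAPSearchStrings  = array( 'EXAMPLE' => 'EXAMPLE\\USER-NAME' );
$wgLDAPBaseDNs        = array( 'EXAMPLE' => 'dc=example,dc=internal' );

// Group restriction: only members of these directory groups may log in.
$wgLDAPRequiredGroups = array( 'EXAMPLE' => array(
    'cn=wiki-readers,ou=groups,dc=example,dc=internal',
    'cn=wiki-editors,ou=groups,dc=example,dc=internal',
) );

// Group synchronization: directory group membership is copied into
// MediaWiki groups of the same name on each successful login.
$wgLDAPUseLDAPGroups      = array( 'EXAMPLE' => true );
$wgLDAPGroupUseFullDN     = array( 'EXAMPLE' => true );
$wgLDAPGroupObjectclass   = array( 'EXAMPLE' => 'group' );
$wgLDAPGroupAttribute     = array( 'EXAMPLE' => 'member' );
$wgLDAPGroupNameAttribute = array( 'EXAMPLE' => 'cn' );

// Permissions live on the MediaWiki groups only; adding a user to the
// directory group is then the single step needed to grant access.
$wgGroupPermissions['*']['read']            = false;
$wgGroupPermissions['*']['edit']            = false;
$wgGroupPermissions['*']['createaccount']   = false;
$wgGroupPermissions['user']['read']         = true;   // any permitted login can read
$wgGroupPermissions['user']['edit']         = false;  // read-only by default
$wgGroupPermissions['wiki-editors']['edit'] = true;   // read-write via synced group

// Group data is refreshed at login, so a long-lived cookie keeps stale
// rights alive. Assumption: $wgCookieExpiration sets that cookie's lifetime
// (in seconds) in this MediaWiki version. Eight hours forces a daily re-login.
$wgCookieExpiration = 8 * 3600;
```

With this layout, removing a user from the directory group takes effect at their next login, so the cookie lifetime is the upper bound on how long revoked rights persist.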


